
[Other] Vulnerabilities in Adobe Reader and Acrobat - APSB10-17



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleagues,

we have just received the following warning. We are passing this information
on to you unchanged.

CVE-2010-2862 - Integer overflow vulnerability in Adobe CoolType.dll

  Adobe Reader and Acrobat contain a vulnerability in the CoolType.dll
  library in the processing of a TrueType font. A remote attacker can
  exploit this vulnerability to execute arbitrary commands with the
  privileges of the user if he gets the user to open a specially crafted
  PDF.

CVE-2010-1240 - Adobe Reader allows the execution of embedded files

  Adobe Reader contains a vulnerability that allows the execution of
  embedded files. The user of the program is shown a dialog asking them
  to confirm execution of the file. An attacker can control some of the
  contents of the dialog window and thereby attempt to persuade a wary
  user to execute an untrusted file.


The following software packages and platforms are affected:

  Adobe Reader 9.3.3
  Adobe Acrobat 9.3.3

  Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX
  Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh


The vendor has made updated packages available.

(c) of the German summary: DFN-CERT Services GmbH; distribution, including
in excerpts, is permitted only with reference to the author, DFN-CERT
Services GmbH, and only for non-commercial purposes.

Kind regards,
	Torsten Voss

- --
 
Dipl.-Ing.(FH) Torsten Voss (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone  +49 40 808077-590
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID:  DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic alerts                          https://www.cert.dfn.de/autowarn

Security updates available for Adobe Reader and Acrobat

Release date: August 19, 2010

Vulnerability identifier: APSB10-17

CVE numbers: CVE-2010-2862, CVE-2010-1240

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Reader 9.3.3 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.3 (and earlier versions) and Adobe Acrobat 8.2.3 (and earlier versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

These updates address CVE-2010-2862, which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. They also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16.

Adobe recommends users of Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.4, Adobe has provided the Adobe Reader 8.2.4 update.) Adobe recommends users of Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.4. Adobe recommends users of Adobe Acrobat 8.2.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.4.

Note that today's updates mentioned in this bulletin represent an out-of-cycle release. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for October 12, 2010.

Affected software versions

    * Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX
    * Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh

Solution

Adobe recommends users update their software installations by following the instructions below:

Adobe Reader
Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule and can be manually activated by choosing Help > Check for Updates.

Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.

Note: Adobe Reader 9.3.4 for Windows, Macintosh and UNIX will be available from the Adobe Reader Download Center at http://get.adobe.com/reader/ by August 31, 2010.

Adobe Acrobat
Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule and can be manually activated by choosing Help > Check for Updates.

Acrobat Standard and Pro users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can also find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.

Acrobat 3D users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes these as critical updates and recommends that users apply the latest updates for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Reader 9.3.3 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.3 (and earlier versions) and Adobe Acrobat 8.2.3 (and earlier versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.4. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.4, Adobe has provided the Adobe Reader 8.2.4 update.) Adobe recommends users of Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.4. Adobe recommends users of Adobe Acrobat 8.2.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.4.

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2010-2862).

These updates further mitigate a social engineering attack that could lead to code execution (CVE-2010-1240).

These updates incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16.

Acknowledgements

Adobe would like to thank Tavis Ormandy of the Google Security Team for reporting CVE-2010-2862 and for working with Adobe to help protect our customers.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkxyUYAACgkQWmhIvjFb90WBLQCcCPJiFOuksNArA5+REJ8V/WdO
UhoAn2Gp/rWa4s8/DU5XYy8vc8D7GUFW
=g6wi
-----END PGP SIGNATURE-----
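The DFN-CERT summary and Adobe's bulletin both describe CVE-2010-2862 only as an integer overflow in CoolType.dll's TrueType font handling, without details. The following added example (not code from DFN-CERT, Adobe or the CoolType library) illustrates the bug class from the defender's side: a TrueType (sfnt) table-directory walk whose bounds check is written once in the overflow-prone form `offset + length <= size` and once in a form that cannot wrap. The sfnt table-directory layout used (12-byte offset table, 16-byte records of tag, checksum, offset, length) is the public format; the 32-byte font stub is constructed here for the demonstration and the specific CoolType defect is not claimed to look like this.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Big-endian field readers (sfnt files are big-endian). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint16_t be16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Overflow-prone pattern: offset + length is computed in 32 bits and wraps,
 * so a huge offset paired with a small length passes the comparison. */
bool table_in_bounds_naive(uint32_t offset, uint32_t length, uint32_t file_size) {
    return offset + length <= file_size;
}

/* Hardened check: compare length against the remaining space; no addition. */
bool table_in_bounds_safe(uint32_t offset, uint32_t length, uint32_t file_size) {
    return offset <= file_size && length <= file_size - offset;
}

typedef bool (*bounds_fn)(uint32_t, uint32_t, uint32_t);

/* Walk the sfnt table directory. Returns the number of tables whose data
 * lies inside the file according to `check`, or -1 on any failure. */
int count_valid_tables(const uint8_t *font, size_t size, bounds_fn check) {
    if (size < 12 || size > UINT32_MAX) return -1;
    uint16_t num_tables = be16(font + 4);
    /* numTables is at most 65535, so 12 + 16 * numTables cannot wrap size_t. */
    if ((size_t)12 + (size_t)16 * num_tables > size) return -1;
    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = font + 12 + (size_t)16 * i;   /* tag, checksum, offset, length */
        if (!check(be32(rec + 8), be32(rec + 12), (uint32_t)size)) return -1;
    }
    return num_tables;
}

#define SAMPLE_SIZE 32

/* Constructed 32-byte font stub: header, one table record, 4 bytes of data.
 * With wrapping=true the record claims offset 0xFFFFFFF0 and length 0x20,
 * whose 32-bit sum wraps to 0x10 and so looks "inside" a 32-byte file. */
static void build_sample(uint8_t *buf, bool wrapping) {
    memset(buf, 0, SAMPLE_SIZE);
    put32(buf, 0x00010000u);       /* sfnt version 1.0 */
    buf[4] = 0; buf[5] = 1;        /* numTables = 1 */
    memcpy(buf + 12, "cmap", 4);   /* table tag */
    put32(buf + 16, 0);            /* checksum, not verified here */
    put32(buf + 20, wrapping ? 0xFFFFFFF0u : 28u);   /* offset */
    put32(buf + 24, wrapping ? 0x20u : 4u);          /* length */
}

/* Run one bounds-check variant over one sample; returns count_valid_tables' result. */
int check_sample(bool use_safe, bool wrapping) {
    uint8_t buf[SAMPLE_SIZE];
    build_sample(buf, wrapping);
    return count_valid_tables(buf, SAMPLE_SIZE,
                              use_safe ? table_in_bounds_safe : table_in_bounds_naive);
}

int main(void) {
    printf("naive check, wrapping record: %d (accepted although out of bounds)\n",
           check_sample(false, true));
    printf("safe check,  wrapping record: %d (rejected)\n", check_sample(true, true));
    printf("safe check,  valid record:    %d\n", check_sample(true, false));
    return 0;
}
```

The point for a reviewer of any binary-format parser is the shape of the check, not the font specifics: whenever a length is validated by adding it to an offset, the sum can wrap in the width of the integer type, and a subsequent copy of `length` bytes from `offset` reads or writes outside the buffer; subtracting from the known size (after checking the offset alone) is the form that stays correct for every input.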